1 files changed, 105 insertions, 0 deletions

diff --git a/cgi/roster b/cgi/roster
new file mode 100755
index 000000000..46ce1fc09
--- /dev/null
+++ b/cgi/roster
@@ -0,0 +1,105 @@
+#!/usr/local/bin/python
+
+"""Produce subscriber roster, using listinfo form data, roster.html template.
+
+Takes listname in PATH_INFO."""
+
+# We don't need to lock in this script, because we're never going to change
+# data. 
+
+import sys
+sys.path.append('/home/mailman/mailman/modules')
+
+import os, string
+import cgi
+import mm_utils, maillist, htmlformat, mm_cfg, mm_err
+
+try:
+    sys.stderr = mm_utils.StampedLogger("error", label = 'mmroster',
+                                        manual_reprime=1, nofail=0)
+except IOError:
+    pass                        # Oh well - SOL on redirect, errors show thru.
+
+
+def main():
+    doc = htmlformat.Document()
+    form = cgi.FieldStorage()
+    list = get_list()
+
+    bad = ""
+    # These nested conditionals constituted a cascading authentication
+    # check, yielding a 
+    if not list.private_roster:
+        # No privacy.
+        bad = ""
+    else:
+        auth_req = ("%s subscriber list requires authentication."
+                    % list.real_name)
+        if not form.has_key("roster-pw"):
+            bad = auth_req
+        else:
+            pw = form['roster-pw'].value
+            # Just the admin password is sufficient - check it early.
+            if not list.ValidAdminPassword(pw):
+                if not form.has_key('roster-email'):
+                    # No admin password and no user id, nogo.
+                    bad = auth_req
+                else:
+                    id = form['roster-email'].value
+                    if list.private_roster == 1:
+                        # Private list - members visible.
+                        try:
+                            list.ConfirmUserPassword(id, pw)
+                        except (mm_err.MMBadUserError, 
+                                mm_err.MMBadPasswordError):
+                            bad = ("%s subscriber authentication failed."
+                                   % list.real_name)
+                        else:
+                            # Anonymous list - admin-only visible
+                            # - and we already tried admin password, above.
+                            bad = ("%s admin authentication failed."
+                                   % list.real_name)
+    if bad:
+        doc = error_page_doc(bad)
+        doc.AddItem(list.GetMailmanFooter())
+        print doc.Format()
+        sys.exit(0)
+
+    replacements = list.GetStandardReplacements()
+
+    doc.AddItem(list.ParseTags('roster.html', replacements))
+    print doc.Format()
+
+def get_list():
+    "Return list or bail out with error page."
+
+    list_info = mm_utils.GetPathPieces(os.environ['PATH_INFO'])
+    if len(list_info) != 1:
+        error_page("Invalid options to CGI script.")
+        sys.exit(0)
+    list_name = string.lower(list_info[0])
+    try:
+        list = maillist.MailList(list_name)
+    except mm_err.MMUnknownListError:
+        error_page("%s: No such list.", list_name)
+        sys.exit(0)
+    if not list._ready:
+        error_page("%s: No such list.", list_name)
+        sys.exit(0)
+    list.Unlock()
+    return list
+
+def error_page(errmsg, *args):
+    print apply(error_page_doc, (errmsg,) + args).Format()
+
+def error_page_doc(errmsg, *args):
+    """Produce a simple error-message page on stdout and exit.
+
+    Optional arg justreturn means just return the doc, don't print it."""
+    doc = htmlformat.Document()
+    doc.AddItem(htmlformat.Header(2, "Error"))
+    doc.AddItem(htmlformat.Bold(errmsg % args))
+    return doc
+
+if __name__ == "__main__":
+    main()